Splunk Enterprise
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

Does splunk 6.x support DailyRollingFileAppender?

erickyi
Path Finder
‎03-13-2017 11:20 PM

I tried to setup $SPLUNK_HOME/etc/log.cfg to change its current logging (RollingFileAppender)

Attempt 1 - failed : encountered parsing errors
appender.A4=org.apache.log4j.DailyRollingFileAppender
appender.A1.File=${SPLUNK_HOME}/var/log/splunk/splunkd.log
appender.A1.DatePattern='.'yyyy-MM-dd

Attempt 2 - failed due to parsing errors
appender.A1=RollingFileAppender
appender.A1.fileName=${SPLUNK_HOME}/var/log/splunk/splunkd.log
appender.A1.filePattern=${SPLUNK_HOME}/var/log/splunk/splunkd.log-%d{yyyy-MM-dd}-%i

Help. what can i do to change the logging? I thought splunk supports the standard log4j 2

Tags (2)
Reply
1 Solution
Solved! Jump to solution
Solution

s2_splunk
Splunk Employee
Splunk Employee
‎03-14-2017 04:22 PM

The short answer is that any appender other than the RollingFileAppender won't work.
While the configuration file suggests log4j use under the covers, that is not the case. The implementation was changed to remove a dependency on a 3rd-party library, but the cfg file structure was preserved.
The only supported file appender in the current implementation is the RollingFileAppender.

The only option is to rotate files outside of Splunk and hope that we can handle renaming an active log file transparently... 😉

View solution in original post

Reply
Solved! Jump to solution

erickyi
Path Finder
‎03-14-2017 06:04 PM

Thanks ssievert for the quick response and letting us know. Cheers 🙂

0 Karma
Reply
Solved! Jump to solution
Solution

s2_splunk
Splunk Employee
Splunk Employee
‎03-14-2017 04:22 PM

The short answer is that any appender other than the RollingFileAppender won't work.
While the configuration file suggests log4j use under the covers, that is not the case. The implementation was changed to remove a dependency on a 3rd-party library, but the cfg file structure was preserved.
The only supported file appender in the current implementation is the RollingFileAppender.

The only option is to rotate files outside of Splunk and hope that we can handle renaming an active log file transparently... 😉

Reply
Solved! Jump to solution

s2_splunk
Splunk Employee
Splunk Employee
‎03-13-2017 11:58 PM

Just to verify: In your first attempt, did you really use appender.A4=org.apache.... instead of appender.A1=org.apache....?

0 Karma
Reply
Solved! Jump to solution

erickyi
Path Finder
‎03-14-2017 12:00 AM

HI ssievert,

Yes, I tried both options ; org.apache.log4j.DailyRollingFileAppender and DailyRollingFileAppender
but unfortunately both failed

0 Karma
Reply
Solved! Jump to solution

s2_splunk
Splunk Employee
Splunk Employee
‎03-14-2017 12:08 AM

I just tried and getting Parse error at "appender.A1.DatePattern='.'yyyy-MM-dd" as well. I'll see what I can find out...

0 Karma
Reply
Solved! Jump to solution

erickyi
Path Finder
‎03-14-2017 12:37 AM

Thank you ssievert,

good that you confirmed my findings.

My objective is that if I have a daily rolling mechanism going, then it would be easy for me to backup the old logs incrementally (by date). If this is not possible, then I will use native unix technologies. i am getting there on my script.

Test: find $SPLUNK_HOME -name '*.log.?' -exec stat --printf="%y %n\n" {} \;|grep date +"%Y-%m-%d" |awk '{print $4}'

0 Karma
Reply
Career Survey
First 500 qualified respondents will receive a $20 gift card! Tell us about your professional Splunk journey.
Take the Survey

Can’t make it to .conf25? Join us online!

Watch Global Broadcast
Get Updates on the Splunk Community!

Splunkbase Unveils New App Listing Management Public Preview

Splunkbase Unveils New App Listing Management Public PreviewWe're thrilled to announce the public preview of ...

Leveraging Automated Threat Analysis Across the Splunk Ecosystem

Are you leveraging automation to its fullest potential in your threat detection strategy?Our upcoming Security ...

Can’t Make It to Boston? Stream .conf25 and Learn with Haya Husain

Boston may be buzzing this September with Splunk University and .conf25, but you don’t have to pack a bag to ...